Only trigger group rules for active user Skip to main content
https://support.okta.com/help/answers?id=906f0000000i06qias&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Tiffany LTiffany L 

Only trigger group rules for active user

Is there a way to configure a group rule so it only fires for active Okta users? Currently, if I disable a user's Okta access, the group rules still fire for the user and they maintain their group memberships. This means I need to manually remove them from the groups, which creates exceptions in the group rules and is not very clean. Suggestions?
Nick AscencioNick Ascencio (Okta, Inc.)
Hi Tiffany,

What types of group rules is this affecting? There is currently no way to automatically remove deactivated users from the groups they were a member of. I would be interesting in hearing about some use cases where this would be beneficial.

Of course you are welcome to submit this to us as a feature request using the ‘Post Idea’ button in the link below if you haven't done so already.

https://support.okta.com/help/ideas/ideaList.apexp

Thank you,
Nick
Okta Support
Tiffany LTiffany L
Hi Nick,

As an example, we have an API call configured that pulls all group membership to a particular Okta group to determine who needs access on a separate on-prem system. We recently encountered an issue in which an employee was terminated, but they were still members of the okta group, which meant their access to the on-prem system remained. We got lucky in that case because our operations team ran a user audit soon after and I was able to manually remove, but it could have been a very severe security issue. I have already created an idea for this issue (https://support.okta.com/help/ideas/viewIdea.apexp?id=087F0000000BF7C)